[Standards] XMPP OAuth2 login at Google

Hannes Tschofenig hannes.tschofenig at gmx.net
Tue Sep 18 18:19:43 UTC 2012


On 09/18/2012 08:51 PM, Peter Saint-Andre wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 9/18/12 11:25 AM, Hannes Tschofenig wrote:
>> On 09/18/2012 08:21 PM, Peter Saint-Andre wrote:
>>>> (Btw, the current XMPP OAuth XEP is also insecure...)
>>> Calling it "current" is a bit of a stretch. :)  It was deferred
>>> for inactivity quite some time ago. At this point, any use of
>>> OAuth in XMPP would likely be based on the SASL mechanism.
>>
>> I didn't know.
>
> Well, Hannes, you can't know everything. ;-)

hmmm.

>
>> I even thought that it covered an entirely different use case,
>> namely between two endpoints rather than between the end host and
>> the XMPP server (whatever the right XMPP terminology here is).
>
> True, but it seems that few people are interested in those use cases
> (e.g., using OAuth for authorization to join a chatroom).

I had gotten the impression that XEP 235 
http://xmpp.org/extensions/xep-0235.html was motivated by the Yahoo 
FireEagle work.

My understanding is that the usage was really end-to-end rather than from the 
end host to the first hop. From a security point of view that makes a 
huge difference. So, XEP 235 wasn't really a secure usage of OAuth in XMPP 
to begin with, and that may have motivated them to change it.

I am saying this because I went through the same design exercise with 
the SAML SIP work. There, however, we ran into lots of problems with the 
way SBCs prevent any useful security mechanism from working.

Ciao
Hannes